@desplega.ai/agent-swarm 1.78.1 → 1.79.0

package/src/tests/fixtures/sample-json-page.json

@@ -0,0 +1,52 @@
+{
+  "root": "root",
+  "elements": {
+    "root": {
+      "type": "Container",
+      "props": { "direction": "column", "gap": "md" },
+      "children": ["heading", "intro", "sdkBtn", "callBtn"]
+    },
+    "heading": {
+      "type": "Heading",
+      "props": { "text": "Sample JSON page", "level": "h1" },
+      "children": []
+    },
+    "intro": {
+      "type": "Text",
+      "props": {
+        "content": "Two buttons below dispatch swarm.sdk and swarm.call actions. Click each to exercise the renderer's action wiring.",
+        "tone": "muted"
+      },
+      "children": []
+    },
+    "sdkBtn": {
+      "type": "Button",
+      "props": { "label": "Create task via SDK" },
+      "children": [],
+      "on": {
+        "press": {
+          "action": "swarm.sdk",
+          "params": {
+            "sdk": "createTask",
+            "args": { "description": "from-json-page" }
+          }
+        }
+      }
+    },
+    "callBtn": {
+      "type": "Button",
+      "props": { "label": "Create channel via raw call", "variant": "secondary" },
+      "children": [],
+      "on": {
+        "press": {
+          "action": "swarm.call",
+          "params": {
+            "method": "POST",
+            "endpoint": "/api/channels",
+            "body": { "name": "from-json-page" }
+          }
+        }
+      }
+    }
+  }
+}

package/src/tests/launch-password-rejection.test.ts

@@ -0,0 +1,139 @@
+/**
+ * `POST /api/pages/:id/launch` must reject `auth_mode='password'` pages with
+ * 400 — password pages mint their own cookie out of the public `/p/:id`
+ * route (step-5) after verifying the password. Letting a bearer-only caller
+ * mint a cookie via `/launch` would bypass the password check entirely.
+ *
+ * In-process variant of the launch endpoint; matches the test wiring used by
+ * `pages-public-html.test.ts` and friends.
+ */
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import crypto from "node:crypto";
+import { unlink } from "node:fs/promises";
+import {
+  createServer as createHttpServer,
+  type IncomingMessage,
+  type Server,
+  type ServerResponse,
+} from "node:http";
+import { closeDb, initDb } from "../be/db";
+import { handlePages } from "../http/pages";
+import { handlePagesPublic } from "../http/pages-public";
+import { getPathSegments, parseQueryParams } from "../http/utils";
+
+const TEST_DB_PATH = "./test-launch-password-rejection.sqlite";
+const TEST_PORT = 13050;
+const BASE = `http://localhost:${TEST_PORT}`;
+
+function createTestServer(): Server {
+  return createHttpServer(async (req: IncomingMessage, res: ServerResponse) => {
+    const pathSegments = getPathSegments(req.url || "");
+    const queryParams = parseQueryParams(req.url || "");
+    const myAgentId = req.headers["x-agent-id"] as string | undefined;
+    if (await handlePagesPublic(req, res, pathSegments, queryParams)) return;
+    if (await handlePages(req, res, pathSegments, queryParams, myAgentId)) return;
+    res.writeHead(404);
+    res.end("not found");
+  });
+}
+
+describe("POST /api/pages/:id/launch — password mode rejection (step-4)", () => {
+  let server: Server;
+  const agentId = crypto.randomUUID();
+  const headers = { "Content-Type": "application/json", "X-Agent-ID": agentId };
+
+  beforeAll(async () => {
+    process.env.PAGE_SESSION_SECRET = "test-launch-password-rejection-secret";
+    for (const suffix of ["", "-wal", "-shm"]) {
+      try {
+        await unlink(`${TEST_DB_PATH}${suffix}`);
+      } catch {}
+    }
+    initDb(TEST_DB_PATH);
+    server = createTestServer();
+    await new Promise<void>((resolve) => server.listen(TEST_PORT, () => resolve()));
+  });
+
+  afterAll(async () => {
+    await new Promise<void>((resolve) => server.close(() => resolve()));
+    closeDb();
+    for (const suffix of ["", "-wal", "-shm"]) {
+      try {
+        await unlink(`${TEST_DB_PATH}${suffix}`);
+      } catch {}
+    }
+  });
+
+  test("password page → launch returns 400 with explanatory error", async () => {
+    const post = await fetch(`${BASE}/api/pages`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        slug: "password-reject",
+        title: "Password",
+        contentType: "text/html",
+        authMode: "password",
+        password: "swordfish",
+        body: "<h1>locked</h1>",
+      }),
+    });
+    expect(post.status).toBe(201);
+    const { id } = (await post.json()) as { id: string };
+
+    const launch = await fetch(`${BASE}/api/pages/${id}/launch`, {
+      method: "POST",
+      headers: { "X-Agent-ID": agentId },
+    });
+    expect(launch.status).toBe(400);
+    const body = (await launch.json()) as { error: string };
+    expect(body.error).toContain("use ?key=");
+    // Confirm no cookie was issued on the rejected launch.
+    expect(launch.headers.get("set-cookie")).toBeNull();
+  });
+
+  test("authed page → launch still issues a cookie (negative control)", async () => {
+    const post = await fetch(`${BASE}/api/pages`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        slug: "authed-ok",
+        title: "Authed",
+        contentType: "text/html",
+        authMode: "authed",
+        body: "<h1>ok</h1>",
+      }),
+    });
+    expect(post.status).toBe(201);
+    const { id } = (await post.json()) as { id: string };
+
+    const launch = await fetch(`${BASE}/api/pages/${id}/launch`, {
+      method: "POST",
+      headers: { "X-Agent-ID": agentId },
+    });
+    expect(launch.status).toBe(204);
+    expect(launch.headers.get("set-cookie")).toContain("page_session=");
+  });
+
+  test("public page → launch still issues a cookie (uniform path)", async () => {
+    const post = await fetch(`${BASE}/api/pages`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        slug: "public-ok",
+        title: "Public",
+        contentType: "text/html",
+        authMode: "public",
+        body: "<h1>open</h1>",
+      }),
+    });
+    expect(post.status).toBe(201);
+    const { id } = (await post.json()) as { id: string };
+
+    const launch = await fetch(`${BASE}/api/pages/${id}/launch`, {
+      method: "POST",
+      headers: { "X-Agent-ID": agentId },
+    });
+    expect(launch.status).toBe(204);
+    expect(launch.headers.get("set-cookie")).toContain("page_session=");
+  });
+});

package/src/tests/page-proxy-authed.test.ts

@@ -0,0 +1,146 @@
+/**
+ * Extends the step-2 `page-proxy.test.ts` coverage to authed-mode pages.
+ *
+ * The proxy's auth model is "cookie is the auth" — it does NOT care whether
+ * the underlying page is `public`, `authed`, or `password`. This test simply
+ * confirms that an `auth_mode='authed'` page survives the same cookie flow:
+ * launch → cookie → /@swarm/api/agents/:id → 200 with the page owner's
+ * agent record.
+ *
+ * Spawns the real `src/http.ts` server (mirrors step-2's pattern) so we
+ * exercise the bearer gate + cookie + proxy in the same shape production
+ * runs.
+ */
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { randomUUID } from "node:crypto";
+import { unlink } from "node:fs/promises";
+import type { Subprocess } from "bun";
+
+const TEST_PORT = 19881;
+const TEST_DB_PATH = `/tmp/test-page-proxy-authed-${Date.now()}.sqlite`;
+const BASE = `http://localhost:${TEST_PORT}`;
+const API_KEY = "test-page-proxy-authed-key";
+const PAGE_SECRET = "test-page-proxy-authed-secret";
+
+let serverProc: Subprocess;
+const agentId = randomUUID();
+
+async function waitForServer(url: string, timeoutMs = 15000) {
+  const start = Date.now();
+  while (Date.now() - start < timeoutMs) {
+    try {
+      const r = await fetch(url);
+      if (r.ok) return;
+    } catch {}
+    await Bun.sleep(50);
+  }
+  throw new Error(`Server did not start within ${timeoutMs}ms`);
+}
+
+beforeAll(async () => {
+  for (const suffix of ["", "-wal", "-shm"]) {
+    try {
+      await unlink(`${TEST_DB_PATH}${suffix}`);
+    } catch {}
+  }
+
+  process.env.PAGE_SESSION_SECRET = PAGE_SECRET;
+
+  serverProc = Bun.spawn(["bun", "src/http.ts"], {
+    cwd: `${import.meta.dir}/../..`,
+    env: {
+      ...process.env,
+      PORT: String(TEST_PORT),
+      DATABASE_PATH: TEST_DB_PATH,
+      API_KEY,
+      PAGE_SESSION_SECRET: PAGE_SECRET,
+      MCP_BASE_URL: `http://127.0.0.1:${TEST_PORT}`,
+      CAPABILITIES: "core,task-pool,messaging,profiles,services,scheduling,memory",
+      SLACK_BOT_TOKEN: "",
+      GITHUB_WEBHOOK_SECRET: "",
+      AGENTMAIL_API_KEY: "",
+    },
+    stdout: "ignore",
+    stderr: "ignore",
+  });
+  await waitForServer(`${BASE}/health`);
+
+  const reg = await fetch(`${BASE}/api/agents`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${API_KEY}`,
+      "X-Agent-ID": agentId,
+    },
+    body: JSON.stringify({
+      name: "AuthedPageOwner",
+      isLead: false,
+      description: "Owner of the authed test page",
+      role: "worker",
+      capabilities: ["core"],
+      maxTasks: 1,
+    }),
+  });
+  if (reg.status !== 201 && reg.status !== 200) {
+    throw new Error(`Failed to register agent: ${reg.status} ${await reg.text()}`);
+  }
+}, 20000);
+
+afterAll(async () => {
+  if (serverProc) {
+    serverProc.kill();
+    try {
+      await serverProc.exited;
+    } catch {}
+  }
+  await Bun.sleep(50);
+  for (const suffix of ["", "-wal", "-shm"]) {
+    try {
+      await unlink(`${TEST_DB_PATH}${suffix}`);
+    } catch {}
+  }
+});
+
+describe("/@swarm/api/* proxy — authed-mode page", () => {
+  test("authed page: launch → cookie → proxy /agents/:id resolves to page owner", async () => {
+    // Create an authed HTML page owned by `agentId`.
+    const createRes = await fetch(`${BASE}/api/pages`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${API_KEY}`,
+        "X-Agent-ID": agentId,
+      },
+      body: JSON.stringify({
+        slug: `authed-${randomUUID().slice(0, 8)}`,
+        title: "Authed Proxy Test",
+        contentType: "text/html",
+        authMode: "authed",
+        body: "<h1>authed</h1>",
+      }),
+    });
+    expect(createRes.status).toBe(201);
+    const { id } = (await createRes.json()) as { id: string };
+
+    // Launch.
+    const launch = await fetch(`${BASE}/api/pages/${id}/launch`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${API_KEY}`, "X-Agent-ID": agentId },
+    });
+    expect(launch.status).toBe(204);
+    const setCookie = launch.headers.get("set-cookie");
+    expect(setCookie).toBeTruthy();
+    const cookieValue = /page_session=([^;]+)/.exec(setCookie!)?.[1];
+    expect(cookieValue).toBeTruthy();
+
+    // Drive the proxy with the cookie — should resolve to the page owner's
+    // /agents/:id record (not a 401, not a different identity).
+    const res = await fetch(`${BASE}/@swarm/api/agents/${agentId}`, {
+      headers: { Cookie: `page_session=${cookieValue}` },
+    });
+    expect(res.status).toBe(200);
+    const agent = (await res.json()) as { id: string; name: string };
+    expect(agent.id).toBe(agentId);
+    expect(agent.name).toBe("AuthedPageOwner");
+  });
+});

package/src/tests/page-proxy.test.ts

@@ -0,0 +1,266 @@
+/**
+ * Integration tests for the page-session cookie flow:
+ *   1. Create a page (bearer-auth) → POST /api/pages
+ *   2. Launch it → POST /api/pages/:id/launch → captures Set-Cookie
+ *   3. Hit /@swarm/api/me with the cookie → server-side bearer is injected,
+ *      X-Agent-ID is rewritten to the page owner's id → 200 with /me payload.
+ *
+ * Spawns the real `src/http.ts` server with API_KEY set so we exercise the
+ * full bearer + cookie + proxy chain, not the in-process handler in
+ * isolation.
+ */
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { randomUUID } from "node:crypto";
+import { unlink } from "node:fs/promises";
+import type { Subprocess } from "bun";
+import { signPageSession } from "../utils/page-session";
+
+const TEST_PORT = 19877;
+const TEST_DB_PATH = `/tmp/test-page-proxy-${Date.now()}.sqlite`;
+const BASE = `http://localhost:${TEST_PORT}`;
+const API_KEY = "test-page-proxy-key-12345";
+const PAGE_SECRET = "test-page-proxy-page-secret-67890";
+
+let serverProc: Subprocess;
+const agentId = randomUUID();
+
+async function waitForServer(url: string, timeoutMs = 15000) {
+  const start = Date.now();
+  while (Date.now() - start < timeoutMs) {
+    try {
+      const r = await fetch(url);
+      if (r.ok) return;
+    } catch {}
+    await Bun.sleep(50);
+  }
+  throw new Error(`Server did not start within ${timeoutMs}ms`);
+}
+
+beforeAll(async () => {
+  for (const suffix of ["", "-wal", "-shm"]) {
+    try {
+      await unlink(`${TEST_DB_PATH}${suffix}`);
+    } catch {}
+  }
+
+  // Match the spawned server's signing secret so cookies we hand-craft via
+  // signPageSession() in-process validate at the proxy.
+  process.env.PAGE_SESSION_SECRET = PAGE_SECRET;
+
+  serverProc = Bun.spawn(["bun", "src/http.ts"], {
+    cwd: `${import.meta.dir}/../..`,
+    env: {
+      ...process.env,
+      PORT: String(TEST_PORT),
+      DATABASE_PATH: TEST_DB_PATH,
+      API_KEY,
+      PAGE_SESSION_SECRET: PAGE_SECRET,
+      // Pin the upstream URL the proxy forwards to. Even though the proxy now
+      // talks to 127.0.0.1:$PORT directly (not deriveApiBaseUrl), strip any
+      // ambient ngrok/external MCP_BASE_URL to keep the test env minimal.
+      MCP_BASE_URL: `http://127.0.0.1:${TEST_PORT}`,
+      CAPABILITIES: "core,task-pool,messaging,profiles,services,scheduling,memory",
+      SLACK_BOT_TOKEN: "",
+      GITHUB_WEBHOOK_SECRET: "",
+      AGENTMAIL_API_KEY: "",
+    },
+    stdout: "ignore",
+    stderr: "ignore",
+  });
+  await waitForServer(`${BASE}/health`);
+
+  // Register the page-owner agent (so /me succeeds after the proxy rewrites
+  // X-Agent-ID to this id).
+  const reg = await fetch(`${BASE}/api/agents`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${API_KEY}`,
+      "X-Agent-ID": agentId,
+    },
+    body: JSON.stringify({
+      name: "PageOwner",
+      isLead: false,
+      description: "Owner of the test page",
+      role: "worker",
+      capabilities: ["core"],
+      maxTasks: 1,
+    }),
+  });
+  if (reg.status !== 201 && reg.status !== 200) {
+    throw new Error(`Failed to register agent: ${reg.status} ${await reg.text()}`);
+  }
+}, 20000);
+
+afterAll(async () => {
+  if (serverProc) {
+    serverProc.kill();
+    try {
+      await serverProc.exited;
+    } catch {}
+  }
+  await Bun.sleep(50);
+  for (const suffix of ["", "-wal", "-shm"]) {
+    try {
+      await unlink(`${TEST_DB_PATH}${suffix}`);
+    } catch {}
+  }
+});
+
+/** Helper: create a page owned by `agentId` and return its id. */
+async function createPage(): Promise<string> {
+  const res = await fetch(`${BASE}/api/pages`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${API_KEY}`,
+      "X-Agent-ID": agentId,
+    },
+    body: JSON.stringify({
+      slug: `t-${randomUUID().slice(0, 8)}`,
+      title: "Proxy Test",
+      contentType: "text/html",
+      authMode: "public",
+      body: "<h1>proxy test</h1>",
+    }),
+  });
+  expect(res.status).toBe(201);
+  const json = (await res.json()) as { id: string };
+  return json.id;
+}
+
+describe("/api/pages/:id/launch", () => {
+  test("issues HttpOnly Set-Cookie + 204", async () => {
+    const id = await createPage();
+    const res = await fetch(`${BASE}/api/pages/${id}/launch`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${API_KEY}`, "X-Agent-ID": agentId },
+    });
+    expect(res.status).toBe(204);
+    const cookie = res.headers.get("set-cookie");
+    expect(cookie).toBeTruthy();
+    expect(cookie!).toContain("page_session=");
+    expect(cookie!).toContain("HttpOnly");
+    expect(cookie!).toContain("Path=/");
+    expect(cookie!).toContain("Max-Age=3600");
+    // In dev (NODE_ENV != production) the cookie should be SameSite=Lax sans Secure.
+    expect(cookie!).toContain("SameSite=Lax");
+    expect(cookie!).not.toMatch(/\bSecure\b/);
+  });
+
+  test("404 for unknown page id", async () => {
+    const res = await fetch(`${BASE}/api/pages/${"0".repeat(32)}/launch`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${API_KEY}`, "X-Agent-ID": agentId },
+    });
+    expect(res.status).toBe(404);
+  });
+
+  test("401 without bearer", async () => {
+    const id = await createPage();
+    const res = await fetch(`${BASE}/api/pages/${id}/launch`, {
+      method: "POST",
+    });
+    expect(res.status).toBe(401);
+  });
+
+  test("OPTIONS preflight returns 204 with CORS headers when Origin set", async () => {
+    const id = await createPage();
+    const res = await fetch(`${BASE}/api/pages/${id}/launch`, {
+      method: "OPTIONS",
+      headers: { Origin: "http://localhost:5274" },
+    });
+    // /core's OPTIONS handler returns 204 first — but our route-specific
+    // OPTIONS handler in handlePages sets CORS headers. Either way the
+    // browser sees 204; verify the response is 204.
+    expect(res.status).toBe(204);
+  });
+});
+
+describe("/@swarm/api/* proxy", () => {
+  // The proxy rewrites `/@swarm/api/<rest>` → `/api/<rest>`. We use
+  // `/api/agents/<id>` as the canonical exerciser since it requires both
+  // bearer auth AND a valid agent id — proving the proxy injected both.
+  test("forwards GET /@swarm/api/agents/:id with cookie → 200 carrying page-owner agent", async () => {
+    const id = await createPage();
+    const launch = await fetch(`${BASE}/api/pages/${id}/launch`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${API_KEY}`, "X-Agent-ID": agentId },
+    });
+    expect(launch.status).toBe(204);
+    const setCookie = launch.headers.get("set-cookie");
+    expect(setCookie).toBeTruthy();
+
+    const cookieValue = /page_session=([^;]+)/.exec(setCookie!)?.[1];
+    expect(cookieValue).toBeTruthy();
+
+    const res = await fetch(`${BASE}/@swarm/api/agents/${agentId}`, {
+      headers: { Cookie: `page_session=${cookieValue}` },
+    });
+    expect(res.status).toBe(200);
+    const agent = (await res.json()) as { id: string; name: string };
+    expect(agent.id).toBe(agentId);
+    expect(agent.name).toBe("PageOwner");
+  });
+
+  test("rejects request without cookie → 401", async () => {
+    const res = await fetch(`${BASE}/@swarm/api/agents/${agentId}`);
+    expect(res.status).toBe(401);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("no page session");
+  });
+
+  test("rejects expired cookie → 401", async () => {
+    const expired = await signPageSession({
+      pageId: "deadbeef".repeat(4),
+      exp: Math.floor(Date.now() / 1000) - 60,
+    });
+    const res = await fetch(`${BASE}/@swarm/api/agents/${agentId}`, {
+      headers: { Cookie: `page_session=${expired}` },
+    });
+    expect(res.status).toBe(401);
+  });
+
+  test("rejects tampered signature → 401", async () => {
+    const id = await createPage();
+    const exp = Math.floor(Date.now() / 1000) + 3600;
+    const good = await signPageSession({ pageId: id, exp });
+    const [head, sig] = good.split(".");
+    const tamperedSig = `${sig!.slice(0, -1)}${sig!.slice(-1) === "A" ? "B" : "A"}`;
+    const bad = `${head}.${tamperedSig}`;
+    const res = await fetch(`${BASE}/@swarm/api/agents/${agentId}`, {
+      headers: { Cookie: `page_session=${bad}` },
+    });
+    expect(res.status).toBe(401);
+  });
+
+  test("rejects cookie for deleted page → 401", async () => {
+    // Sign a cookie referencing a never-existed page id. verifyPageSession
+    // returns the payload, getPage returns null → 401 "page session no
+    // longer valid". (Step-3 will ship DELETE; this test just exercises the
+    // proxy's missing-page branch without depending on it.)
+    const ghost = await signPageSession({
+      pageId: "fade".repeat(8),
+      exp: Math.floor(Date.now() / 1000) + 3600,
+    });
+    const res = await fetch(`${BASE}/@swarm/api/agents/${agentId}`, {
+      headers: { Cookie: `page_session=${ghost}` },
+    });
+    expect(res.status).toBe(401);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("page session no longer valid");
+  });
+
+  test("proxy does NOT require a bearer header (cookie is the auth)", async () => {
+    const id = await createPage();
+    const exp = Math.floor(Date.now() / 1000) + 3600;
+    const token = await signPageSession({ pageId: id, exp });
+    // Send WITHOUT Authorization header — pure cookie auth.
+    const res = await fetch(`${BASE}/@swarm/api/agents/${agentId}`, {
+      headers: { Cookie: `page_session=${token}` },
+    });
+    expect(res.status).toBe(200);
+    const agent = (await res.json()) as { id: string };
+    expect(agent.id).toBe(agentId);
+  });
+});